compromising online accounts by cracking voicemail systems
play

Compromising online accounts by cracking voicemail systems Martin - PowerPoint PPT Presentation

Oct 28, 2023 •187 likes •768 views

Compromising online accounts by cracking voicemail systems Martin Vigo @martin_vigo | martinvigo.com 8 2 1 6 C P C d n a e m r r c t l e d s a d m a b A A a L g n i y a l p e l i h w d

  1. Compromising online accounts by cracking voicemail systems Martin Vigo @martin_vigo | martinvigo.com

  2. 8 2 1 6 C P C d ” n a e m í r r c t l e d s a í d m a b A A a L “ g n i y a l p e l i h w d e r u t p a C Martin Vigo Product Security Lead From Galicia, Spain Research | Scuba | Gin tonics @martin_vigo - martinvigo.com

  3. History back to ezines

  4. “You can just enter all 2-digit combinations until you get the right one” … “A more sophisticated and fast way to do this is to take advantage of the fact that such machines typically do not read two numbers at a time, and discard them, but just look for the correct sequence” Hacking Telephone Answering Machines by Doctor Pizz and Cybersperm

  5. “Quickly Enter the following string: 123456789876543213579246864297314741933669944885522775395 96372582838491817161511026203040506070809001 (this is the shortest string for entering every possible 2-digit combo.)” Hacking AT&T Answering Machines Quick and Dirty by oleBuzzard

  6. “Defaults For ASPEN Are: (E.G. Box is 888) …. Use Normal Hacking Techniques: ------------------------------- i.e. 1111 | \|/ 9999 1234 4321” A Tutorial of Aspen Voice Mailbox Systems, by Slycath

  7. “There is also the old "change the message" secret to make it say something to the effect of this line accepts all toll charges so you can bill third party calls to that number” Hacking Answering Machines 1990 by Predat0r

  8. Voicemail security in the ‘80s • Default PINs • Common PINs • Bruteforceable PINs • E ffi cient bruteforcing sending multiple PINs at once • The greeting message is an attack vector

  9. Voicemail security today checklist time!

  10. Voicemail security today Default PINs • Common PINs • AT&T • Vodafone • 111111 • Bruteforceable PINs • 4 last digits of client number • T-Mobile • 4 last digits of PUK for CallYa • E ffi cient bruteforcing • Last 4 digits of the phone number by entering multiple • Telekom PINs at once • Sprint • 4 last digits of card number • Last 7 digit of the phone number • The greeting • O2 message is an attack • Verizon vector • 8705 • Last 4 digits of the phone number

  11. Voicemail security today 2012 Research study by Data Genetics https://www.datagenetics.com/blog/september32012 Default PINs Common PINs • Bruteforceable PINs • E ffi cient bruteforcing by entering multiple PINs at once • The greeting message is an attack vector

  12. Voicemail security today Default PINs • Vodafone Common PINs • AT&T • 4 to 10 digits Bruteforceable PINs • 4 to 7 digits • T-Mobile • E ffi cient bruteforcing • Telekom • 4 to 7 digits by entering multiple PINs at once • Sprint • 4 to 10 digits • 4 to 10 digits • The greeting • O2 message is an attack • Verizon vector • 4 to 10 digits • 4 to 6 digits

  13. Voicemail security today Default PINs Common PINs • Supports multiple pins at a time Bruteforceable PINs E ffi cient bruteforcing • 0000#1111#2222# by entering multiple PINs at once • Without waiting for prompt • The greeting • or error messages message is an attack vector

  14. voicemailcracker.py bruteforcing voicemails fast, cheap, easy, e ffi ciently and undetected

  15. voicemailcracker.py • Fast • Easy • Fully automated • Uses Twilio’s APIs to make hundreds of calls at a time • Configured with specific payloads for major carriers • Cheap • E ffi cient • Entire 4 digits keyspace for $40 • Optimizes bruteforcing • A 50% chance of correctly guessing a 4 digit PIN for $5 • Tries multiple PINs in the same call • Check 1000 phone numbers for • Uses existing research to prioritize default default PIN for $13 PINs, common PINs, patterns, etc.

  16. Undetected

  17. Straight to voicemail • Use backdoor voicemail • Multiple calls at the same time • It’s how slydial service works in reality numbers • Call when phone is o ffl ine • No need to call the victim! • OSINT • Airplane, movie theater, remote trip, Do Not Disturb • Query HLR database AT&T: 408-307-5049 Vodafone: XXX-55-XXXXXXXX • Online services like realphonevalidation.com Verizon: 301-802-6245 Telekom: XXX-13-XXXXXXXX • Class 0 SMS T-Mobile: 805-637-7243 O2: XXX-33-XXXXXXXX Sprint: 513-225-6245 • Reports back if it was displayed

  18. voicemailcracker.py • Fast • Easy • Fully automated • Uses Twilio’s APIs to make hundreds • Configured with specific payloads for major carriers of calls at a time • E ffi cient • Cheap • Optimizes bruteforcing • Entire 4 digits keyspace for $40 • Tries multiple PINs in the same call • A 50% chance of correctly guessing a • Uses existing research to prioritize default PINs, common PINs, patterns, etc. 4 digit PIN for $5 • Undetected • Check 1000 phone numbers for • Supports backdoor voicemail numbers default PIN for $13

  19. Bruteforce protections

  20. Different flavors in Germany Vodafone Telekom O2 Blocks the Caller ID from Resets to a 6 digit PIN Connects directly to accessing mailbox and sends it over SMS customer help-line or even leaving messages

  21. Caller IDs are cheap Vodafone Resets to a 6 digit PIN and sends it over SMS Telekom Blocks the Caller ID from accessing mailbox or even leaving messages O2 Connects directly to customer help-line

  22. voicemailcracker.py • Easy • Fast • Fully automated • Uses Twilio’s APIs to make hundreds • Configured with specific payloads for major carriers of calls at a time • E ffi cient • Cheap • Optimizes bruteforcing • Tries multiple PINs in the same call • Entire 4 digits keyspace for $40 • Uses existing research to prioritize default PINs, common PINs, patterns, etc. • A 50% chance of correctly guessing a • Undetected 4 digit PIN for $5 • Supports backdoor voicemail numbers • Bruteforce protection bypass • Check 1000 phone numbers for default PIN for $13 • Supports Caller ID randomization

  23. Demo bruteforcing voicemail systems with voicemailcracker.py

  25. Impact so what?

  27. What happens if you don’t pick up?

  28. Voicemail takes the call and records it!

  29. Attack vector 1. Bruteforce voicemail system, ideally using backdoor numbers 2. Ensure calls go straight to voicemail (call flooding, OSINT, etc.) 3. Start password reset process using “Call me” feature 4. Listen to the recorded message containing the secret code 5. Profit! voicemailcracker.py can do all this automatically

  30. Demo compromising WhatsApp

  32. We done? Not yet…

  33. User interaction based protection Please press any key to hear the code… Please press [ARANDOMKEY] to hear the code… Please enter the code…

  34. Can we beat this recommended protection?

  35. Hint

  36. Another hint Default PINs Common PINs Bruteforceable PINs E ffi cient bruteforcing by entering multiple PINs at once The greeting message is an attack vector

  37. We can record DTMF tones as the greeting message!

  38. Attack vector 1. Bruteforce voicemail system, ideally using backdoor numbers 2. Update greeting message according to the account to be hacked 3. Ensure calls go straight to voicemail (call flooding, OSINT, etc.) 4. Start password reset process using “Call me” feature 5. Listen to the recorded message containing the secret code 6. Profit! voicemailcracker.py can do all this automatically

  39. Demo compromising Paypal

  41. Vulnerable services small subset

  42. Password reset

  43. 2FA

  44. Verification

  45. Physical security

  46. Consent

  48. Open source

  49. voicemailautomator.py • No bruteforcing • Limited to 1 carrier • Change greeting message with specially crafted payloads • Retrieve messages containing the secret temp codes Git repo: github.com/martinvigo/voicemailautomator

  50. Recommendations

  51. Still…do I care? if (carriersSetDefaultPins == TRUE) if (testingForDefaultPinsCheapFastUndetectedAutomatable == TRUE) if (updatingGreetingMessageAutomatable == TRUE) if (retrievingNewestMessageAutomatable == TRUE) if (speechToTextTranscription == TRUE) if (accountCompromiseIsAutomatable == TRUE) print “Yes, I should care”

  52. Recommendations for online services • Don’t use automated calls for security purposes • If not possible, detect answering machine and fail • Require user interaction before providing the secret • with the hope that carriers ban DTMF tones from greeting messages

  53. Recommendations for carriers • Ban DTMF tones from greeting messages • No default PIN • Eliminate backdoor voicemail services • Don’t allow common PINs • or at least no access to login • Detect and prevent bruteforce attempts prompt from them • Voicemail disabled by default • Don’t process multiple PINs at once • and can only be activated from the actual phone or online

  54. Recommendations for you • Disable voicemail • or use longest possible, random PIN • Don’t provide phone number to online services unless required • or it’s the only way to get 2FA • use a virtual number to prevent OSINT and SIM swapping • Use 2FA apps only

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cracking the code Cracking the code Houston, we have a problem. Consanguineous Marriage Tay

Cracking the code Cracking the code Houston, we have a problem. Consanguineous Marriage Tay

Cracking the code Cracking the code Houston, we have a problem. Consanguineous Marriage Tay Brain T2-Hyperintensity Sachs Stem Pelizaeus- B12 Metabolism U-Fibres Merzbacher Hypomyelination T1-Hypointensity CSF Salla LEUKODYSTROPHY

918 views • 62 slides
IAPF TRUSTEE NETWORK EVENT CRACKING THE DC CODE: VALUE FOR MONEY WELCOME Cracking the DC Code:

IAPF TRUSTEE NETWORK EVENT CRACKING THE DC CODE: VALUE FOR MONEY WELCOME Cracking the DC Code:

IAPF TRUSTEE NETWORK EVENT CRACKING THE DC CODE: VALUE FOR MONEY WELCOME Cracking the DC Code: Value for Money Rickard Mills Council Member, IAPF THANK YOU SPONSOR Cracking the DC Code: Value for Money HOUSEKEEPING Cracking the DC Code:

1.04k views • 54 slides
MOVING INTO AND THROUGH PRISON: IMPROVED WELLBEING THROUGH THE SPARC AND PRISON VOICEMAIL

MOVING INTO AND THROUGH PRISON: IMPROVED WELLBEING THROUGH THE SPARC AND PRISON VOICEMAIL

MOVING INTO AND THROUGH PRISON: IMPROVED WELLBEING THROUGH THE SPARC AND PRISON VOICEMAIL INITIATIVES Lauren Mumby Supervised by Todd Hogue and Amanda Roberts ICPA, Montreal, 23 rd October 2018 IMAGINE Youve been locked in a room No

574 views • 21 slides
MMFCU Bill Pay Business Accounts Bill Pay for Businesses Businesses can sign up for Online Bill

MMFCU Bill Pay Business Accounts Bill Pay for Businesses Businesses can sign up for Online Bill

MMFCU Bill Pay Business Accounts Bill Pay for Businesses Businesses can sign up for Online Bill Pay and streamline the back office functions of their business. Features include: -Pay bills and view payment activity online anytime. - Delegate

414 views • 6 slides
Security limits for compromising emanations Markus G. Kuhn Computer Laboratory

Security limits for compromising emanations Markus G. Kuhn Computer Laboratory

Security limits for compromising emanations Markus G. Kuhn Computer Laboratory http://www.cl.cam.ac.uk/ mgk25/ CHES 2005, Edinburgh Compromising emanations 1914: German army valve amplifiers for eavesdropping ground return signals of

732 views • 29 slides
Compromising Security of Economic Dispatch in Power System Operations DevendraShelar, MIT

Compromising Security of Economic Dispatch in Power System Operations DevendraShelar, MIT

Compromising Security of Economic Dispatch in Power System Operations DevendraShelar, MIT Dependable Systems and Networks, June 29 th , 2017 Joint work with Saurabh Amin, MIT Pengfei Sun and Saman Zonouz, Rutgers 1 Focus of the talk Economic

470 views • 32 slides
twenty six diagonal cracking shear f c http://www.bam.de concrete construction:

twenty six diagonal cracking shear f c http://www.bam.de concrete construction:

A RCHITECTURAL S TRUCTURES : Concrete in Compression F ORM, B EHAVIOR, AND D ESIGN ARCH 331 crushing D R. A NNE N ICHOLS vertical cracking S PRING 2018 tension lecture twenty six diagonal cracking shear f c

137 views • 3 slides
FROM VSmart TM the Product Captures & records... Calls Voicemail Text I.M. Mobile

FROM VSmart TM the Product Captures & records... Calls Voicemail Text I.M. Mobile

FROM VSmart TM the Product Captures & records... Calls Voicemail Text I.M. Mobile carrier & Patent protected, award handset agnostic winning* technology *Banking Technology 2015 Best Governance, Risk and Compliance Product or

286 views • 7 slides
DATABASE CRACKING: Fancy Scan, not Poor Mans Sort! Hardware Folks Cracking Folks Don Holger

DATABASE CRACKING: Fancy Scan, not Poor Mans Sort! Hardware Folks Cracking Folks Don Holger

DATABASE CRACKING: Fancy Scan, not Poor Mans Sort! Hardware Folks Cracking Folks Don Holger Pirk Eleni Petraki Strato Idreos Stefan Manegold Martin Kersten EVALUATING RANGE PREDICATES COMPLEXITY ON PAPER Scanning: O(n) Sorting:

910 views • 43 slides
Cracking Wireless Ryan Curtin LUG@GT Ryan Curtin Cracking Wireless - p. 1 Goals By the end of

Cracking Wireless Ryan Curtin LUG@GT Ryan Curtin Cracking Wireless - p. 1 Goals By the end of

Cracking Wireless Ryan Curtin LUG@GT Ryan Curtin Cracking Wireless - p. 1 Goals By the end of this presentation (if you stay awake), you will: Goals Setting Up Checking Injection Understand the different types of wireless keys

447 views • 13 slides
Charity Accounts Questions and Answers Ken Brew Webinar 26 March 2014 Charity Accounts

Charity Accounts Questions and Answers Ken Brew Webinar 26 March 2014 Charity Accounts

Charity Accounts Questions and Answers Ken Brew Webinar 26 March 2014 Charity Accounts Reporting Framework and SoRP Development Your questions and answers Some principles of charity accounting Published online information

984 views • 31 slides
Password Managers A way to cope with dozens of online accounts Felix Morsbach Uppsala University

Password Managers A way to cope with dozens of online accounts Felix Morsbach Uppsala University

Password Managers A way to cope with dozens of online accounts Felix Morsbach Uppsala University Sweden CryptoParty #9 presentation of 23rd January 2020 What is the problem? How can one solve it? What actually (not) to do? Making it (more)

346 views • 13 slides
Student Accounts Presentation Student Accounts Student Accounts Our mission: Operate

Student Accounts Presentation Student Accounts Student Accounts Our mission: Operate

Student Accounts Presentation Student Accounts Student Accounts Our mission: Operate efficiently to provide excellent Bouillon Hall 110 customer service for students, parents, (509) 963-3546 university departments, and third parties.

676 views • 33 slides
COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS EPFL/LASEC/USENIX

COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS EPFL/LASEC/USENIX

COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS EPFL/LASEC/USENIX SECURITY09 Martin VUAGNOUX and Sylvain PASINI MODERN KEYBOARDS RADIATE COMPROMISING ELECTROMAGNETIC EMANATIONS THESE EMISSIONS LED TO A FULL OR A

861 views • 75 slides
Without Compromising the Quality of the Scientific and Scholarly Curriculum Presented by:

Without Compromising the Quality of the Scientific and Scholarly Curriculum Presented by:

Pedagogy in Virtual Classrooms Without Compromising the Quality of the Scientific and Scholarly Curriculum Presented by: Jayems Dhingra SIM University, Singapore Pedagogy in Virtual Classrooms Without Compromising the Quality of the

593 views • 15 slides
Agenda Phone Overview Layout Display Keys Working with Calls

Agenda Phone Overview Layout Display Keys Working with Calls

Agenda Phone Overview Layout Display Keys Working with Calls Answering Your Phone Forwarding Calls Place on Hold Transfer Working with Voicemail Setting up voicemail Listening

276 views • 12 slides
Outline Feedback More UML and OOD Reading Chapter 2 Next Chapter 3 1

Outline Feedback More UML and OOD Reading Chapter 2 Next Chapter 3 1

CS1007: Object Oriented Design and Programming in Java Lecture #5 Sept 20 Shlomo Hershkop shlomo@cs.columbia.edu Outline Feedback More UML and OOD Reading Chapter 2 Next Chapter 3 1 Feedback Lots of UML

422 views • 24 slides
Traditions Ju July ly 25th th, 2013 3-4:30 p.m .m. ET Thank you for Th r jo joini ining

Traditions Ju July ly 25th th, 2013 3-4:30 p.m .m. ET Thank you for Th r jo joini ining

Tribal-State Court Collaboration Based on Native Justice Traditions Ju July ly 25th th, 2013 3-4:30 p.m .m. ET Thank you for Th r jo joini ining th the webin inar - You ou have logg logged on on su successfull lly. - All ll

1.03k views • 69 slides
Ethan C. McKinney, DPA Photo Child Support Director St. Joseph County, IN Prosecutors Office

Ethan C. McKinney, DPA Photo Child Support Director St. Joseph County, IN Prosecutors Office

2018 NCSEA Board of Directors Election Ethan C. McKinney, DPA Photo Child Support Director St. Joseph County, IN Prosecutors Office https://www.linkedin.com/in/ethan-mckinney-76479369/ 2018 NCSEA Board of Directors Election Ethan C.

436 views • 7 slides
Part rtnerin ing g to o Im Improve e He Healt lth h Equ quit ity y and d Outcomes s

Part rtnerin ing g to o Im Improve e He Healt lth h Equ quit ity y and d Outcomes s

Part rtnerin ing g to o Im Improve e He Healt lth h Equ quit ity y and d Outcomes s An n In Information n Ses Sessio sion n for or Co Community ity-Based d Organizations Presen ented d by y Mar arya Ging Gingrey, , J.D.

419 views • 29 slides
1 First, a quick overview of the presentation: Ill describe the multimode survey that

1 First, a quick overview of the presentation: Ill describe the multimode survey that

1 First, a quick overview of the presentation: Ill describe the multimode survey that formed the base of this analysis. Ill talk about the yield that came from different types of extra effort. Ill show the effect that

209 views • 17 slides
Question as You Arrive What is the ONE most urgent, nagging, burning issue or concern for you

Question as You Arrive What is the ONE most urgent, nagging, burning issue or concern for you

Question as You Arrive What is the ONE most urgent, nagging, burning issue or concern for you regarding what to keep and what to toss ? Write it on the card at your table or chair. What to Keep (and What to Toss) Identifying OSU Records

651 views • 38 slides
Stop the Drop: Profiles of Innovative Medicaid Renewal Initiatives and Lessons for 2014 and

Stop the Drop: Profiles of Innovative Medicaid Renewal Initiatives and Lessons for 2014 and

Stop the Drop: Profiles of Innovative Medicaid Renewal Initiatives and Lessons for 2014 and Beyond Kaiser Commission on Medicaid and the Uninsured May 14, 2013 Figure 1 Retention matters. Continuous coverage increases quality of care and

600 views • 36 slides
4/9/2012 Spring Clean Your Documents David A. Ericksen, Esq. Severson & Werson, A Professional

4/9/2012 Spring Clean Your Documents David A. Ericksen, Esq. Severson & Werson, A Professional

4/9/2012 Spring Clean Your Documents David A. Ericksen, Esq. Severson & Werson, A Professional Corporation One Embarcadero Center, 26th Floor, San Francisco, CA 94111 Direct Line: 415 677 5637; Fax: 415 956 0439 E mail:

424 views • 15 slides

More recommend